Computer network security specialists must deal with the massive amounts of data that propagate through computer networks. The detection of network intrusions and misuse can be characterized as a problem of identifying suspicious patterns in a plethora of data. This kind of recognition task is well suited to visualization, since the human visual system is an unparalleled pattern recognition engine. Little work has been done in the area of visualizing large amounts of raw network data. Scatter plots are used for visualizing network data, but few can manage extremely large numbers of data points.
The primary known visualization techniques are variations on a node-and-link architecture. These techniques can be an effective way of visualizing connections between computers, but two considerations make them ill-suited for visualizing large amounts of network data. First, two dimensions are used to locate the nodes. This can be valuable if either the position or the distance provides meaningful data. However, in a two-dimensional image it makes additional dimensions such as time difficult to represent clearly, and in three dimensions occlusion and redundancy can become confounding issues. Second, because of the massive amount of data, the node-and-link representation often does not achieve the density possible with a bitmap: in a two-dimensional digital image it is difficult to visually represent more distinct data points than the number of pixels used to draw that image.
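The density argument above can be made concrete by rasterizing packet records straight into a pixel grid, one axis for time and one for destination port, so that each pixel carries a count rather than a glyph. The following is an added example, not code from the paper or from any of the tools it reviews; the packet records are constructed in the script (background traffic to a few service ports plus a burst at 300 s that touches ports across the whole range), and the grid size, axis mappings and PGM output are assumptions chosen for illustration.

```python
"""Rasterize packet records into a pixel grid (time x destination port).

Added illustration for the density argument: once the number of records
exceeds the number of pixels, a bitmap must aggregate, so each pixel holds a
count instead of one glyph per record. All data here is constructed.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float       # seconds since capture start
    dst_port: int   # destination TCP/UDP port, 0..65535


def rasterize(packets, width, height, t_max, port_max=65536):
    """Bin packets into a height x width grid of counts.

    Column x is wall-clock time, row y is destination port; every packet
    increments exactly one cell, so the grid total equals len(packets).
    """
    grid = [[0] * width for _ in range(height)]
    for p in packets:
        x = min(int(p.ts * width / t_max), width - 1)
        y = min(int(p.dst_port * height / port_max), height - 1)
        grid[y][x] += 1
    return grid


def occupancy_stats(grid):
    """How much of the bitmap is lit and how heavily cells are overplotted."""
    cells = [c for row in grid for c in row]
    return {
        "pixels": len(cells),
        "records": sum(cells),
        "lit_pixels": sum(1 for c in cells if c),
        "max_per_pixel": max(cells),
    }


def column_occupancy(grid):
    """Fraction of rows lit in each column.

    Traffic concentrated on a few service ports lights only a few rows, so a
    burst that touches many ports in one time slice stands out as a column
    whose occupancy is close to 1.0.
    """
    height, width = len(grid), len(grid[0])
    return [sum(1 for y in range(height) if grid[y][x]) / height
            for x in range(width)]


def to_pgm(grid):
    """Encode the grid as an 8-bit binary PGM image, log-scaled so that one
    saturated pixel does not wash out the rest of the picture."""
    height, width = len(grid), len(grid[0])
    peak = max(c for row in grid for c in row) or 1
    body = bytearray()
    for row in grid:
        for c in row:
            body.append(int(255 * math.log1p(c) / math.log1p(peak)))
    return b"P5\n%d %d\n255\n" % (width, height) + bytes(body)


def synthetic_capture(seed=1, t_max=600.0, background=20000):
    """Constructed sample: background traffic to four service ports over
    t_max seconds, plus a burst at t=300 s spread over 1024 ports covering
    the whole port range (hypothetical data, not a real capture)."""
    rng = random.Random(seed)
    pkts = [Packet(rng.uniform(0, t_max), rng.choice((22, 53, 80, 443)))
            for _ in range(background)]
    pkts += [Packet(300.0, port) for port in range(0, 65536, 64)]
    return pkts


def demo(width=120, height=64, t_max=600.0):
    """Raster a 21,024-record capture into 7,680 pixels and report where the
    bitmap is densest; the burst column is the one with full occupancy."""
    grid = rasterize(synthetic_capture(t_max=t_max), width, height, t_max)
    stats = occupancy_stats(grid)
    cols = column_occupancy(grid)
    busiest = max(range(width), key=cols.__getitem__)
    stats["busiest_column"] = busiest
    stats["busiest_column_occupancy"] = cols[busiest]
    return stats


if __name__ == "__main__":
    print(demo())
    with open("capture.pgm", "wb") as fh:
        fh.write(to_pgm(rasterize(synthetic_capture(), 120, 64, 600.0)))
```

With these settings some 21,000 records are drawn into fewer than 8,000 pixels, and fewer than 200 of those pixels are ever lit: the aggregate survives in pixel intensity, and the burst survives as a single fully occupied column. A node-and-link drawing of the same records would need one glyph per packet, which is exactly the density ceiling the text describes.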
Of the three main commercial network forensics tools available today, only one, eTrust by Computer Associates, the successor of SilentRunner, emphasizes visualization techniques [2]. Most of the visualizations eTrust provides are based on a node-and-link foundation, and few show raw network packets, instead indicating reconstructed sessions or other higher-level data. Despite the generally good quality of eTrust's visualizations, a recent review of the latest version complains that none of them scale to handle larger data sets [3]. The article claims the most robust of the visualizations, the N-gram file clustering, is useful for thousands of data points, not tens of thousands.
Erbacher developed a glyph-based network visualization [1]. It is a two-dimensional node-and-link visualization. The local network appears towards the bottom of the image and remote connections are placed above it, with their distance based on locality and criticality. To increase the dimensionality of the visualization, the nodes and links are decorated according to the values of other parameters. For example, a node's inner circle thickness represents the load on the system, and the style and colour of the link represents the type of connection. This visualization is valuable as a view into the current state of the network; however, it is not designed for post-mortem analysis of captured network data, including temporal analysis of network traffic. Instead the analyst must make a temporal accommodation to find the patterns in a playback of the data.
Finally, the NIVA visualization [4] provides a three-dimensional node-and-link visualization that adds extra dimensions through colour and node size. This system was developed to explore the inclusion of haptic technology into the visualization methods of intrusion detection problems. In this visualization the usual layout maps three components of an IP address to spatial coordinates and the fourth to the size or colour of the node. The NIVA visualization also uses a helix layout technique to map a sequential data dimension to positions along a helical path. It appears that these visualizations are intended primarily for finding attacks targeted at a single system.

References

[1] Erbacher, Robert F., Zhouxuan Teng, and Siddharth Pandit, "Multi-Node Monitoring and Intrusion Detection," Proceedings of the IASTED International Conference on Visualization, Imaging, and Image Processing, Malaga, Spain, Sep. 9-12, 2002, pp. 720-725.

[2] eTrust™ Network Forensics Release 1.0, Dec. 2004, http://www3.ca.com/Files/DataSheets/etrust_networkforensics_data_sheet.pdf

[3] Shipley, Greg, "Body of Evidence," Secure Enterprise, Sep. 15, 2004.

[4] Nyarko, Kofi, et al., "Network Intrusion Visualization with NIVA, an Intrusion Detection Visual Analyzer with Haptic Integration," Proceedings of the 10th Symposium on Haptic Interfaces for Virtual Environment and Teleoperator Systems, Mar. 24-25, 2002, pp. 277-285.